From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1678420299.40de849d06e7fce4c95bc436399aa04310af7812.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-firewall/nftables/nftables-1.0.6.ebuild
X-VCS-Directories: net-firewall/nftables/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 40de849d06e7fce4c95bc436399aa04310af7812
X-VCS-Branch: master
Date: Fri, 10 Mar 2023 03:53:55 +0000 (UTC)

commit:     40de849d06e7fce4c95bc436399aa04310af7812
Author:     Kerin Millar plushkava net>
AuthorDate: Thu Mar  9 18:11:14 2023 +0000
Commit:     Sam James gentoo org>
CommitDate: Fri Mar 10 03:51:39 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40de849d

net-firewall/nftables: Don't test iptables-nft rulesets in pkg_preinst()

Rulesets generated by iptables-nft are special in nature and will not
always be printed in a way that constitutes a valid syntax for nft(8).
Consider the following example in which iptables-nft would ideally have
generated a native rule that specifies "reject with tcp reset". Instead,
it generated a rule that integrates with an xtables target.

# iptables-nft -S
-A INPUT -j REJECT --reject-with tcp-reset
# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 0 bytes 0 xt target REJECT
	}
}

Simply ignore the ruleset in the case that it appears to have been
generated by iptables-nft.

Signed-off-by: Kerin Millar plushkava.net>
Signed-off-by: Sam James gentoo.org>

 net-firewall/nftables/nftables-1.0.6.ebuild | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/net-firewall/nftables/nftables-1.0.6.ebuild b/net-firewall/nftables/nftables-1.0.6.ebuild index e434040260a7..69e3d6988f20 100644 --- a/net-firewall/nftables/nftables-1.0.6.ebuild +++ b/net-firewall/nftables/nftables-1.0.6.ebuild @@ -167,8 +167,21 @@ src_install() { } pkg_preinst() { + local stderr + if [[ -d /sys/module/nf_tables ]] && [[ -x /sbin/nft ]] && [[ -z ${ROOT} ]]; then - if ! /sbin/nft -t list ruleset | "${ED}"/sbin/nft -c -f -; then + # Check the current loaded ruleset, if any, using the newly + # built instance of nft(8). + if ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset + # but don't treat them as being fatal. + printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in + # nature and will not always be printed in a way that + # constitutes a valid syntax for ntf(8). Ignore them. + return + elif ! "${ED}"/sbin/nft -c -f "${T}"/ruleset.nft; then eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" eerror "nft. This probably means that there is a regression introduced by v${PV}." eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
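Review bot: the `return` in the `elif [[ ${stderr} == *"is managed by iptables-nft"* ]]` branch leaves pkg_preinst() as a whole, not just the ruleset check, so any step that follows the `if` block in this function (outside the hunk) is skipped whenever an iptables-nft-managed table is loaded; if anything does follow, use `:` or a flag variable there and let control fall through to the end of the block. In the same hunk, the comment above that `return` misspells the tool as `ntf(8)`; it should read `nft(8)`. The detection keys on the literal warning text `"is managed by iptables-nft"` on stderr, which is an upstream message rather than a stable interface, so a wording change in a later nft release would silently re-enable the parse check for these rulesets; a comment recording that dependency would help the next maintainer. Also note that on a successful listing any other stderr output is dropped, since `${stderr}` is only forwarded in the failure branch; the `umask 177` around the listing is a good call, as it keeps the saved ruleset in `${T}` readable by the owner only.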